12/28/2023 0 Comments Splunk lookup thresholdIf it is, set the recent variable to 1, if it is not, set it to 0. To determine what that field should be set to, perform a conditional check to see if the latest event time is greater (more recent) than the current time minus 5 minutes. The earliest event should go to a maximum of 24 hours in the past and group this data by the host name.Ĭreate a new field called “recent”. Run a tstats search to pull the latest event’s “_time” field matching on any index that is accessible by the user. Let’s take a look at the SPL and break down each component to annotate what is happening as part of the search: Screenshot of Splunk showing host without any new events in last 5 minutes. | eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")įigure 1. | tstats latest(_time) as latest where index=* earliest=-24h by host In the case where you want to be notified when events are no longer being received by a certain host, a search can be crafted to compare the timestamp of the events from the host to the relative time window. Alert When There is No Data From a Specific Host Once we understand these items, we can now craft a search within Splunk to detect and alert when an event has not been received.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |